the-tcpdump-group/tcpdump

# TCPDUMP 4.x.y 由 [The Tcpdump Group](https://www.tcpdump.org/) 开发 **如需报告安全问题，请发送电子邮件至 security@tcpdump.org。** 如需报告错误和其他问题、贡献补丁、请求功能、提供一般反馈等，请参阅 tcpdump 源代码树根目录下的[贡献指南](CONTRIBUTING.md)。 可通过以下方式使用匿名 Git： ``` https://github.com/the-tcpdump-group/tcpdump.git ``` 本目录包含 tcpdump 的源代码，这是一个用于网络监控和数据采集的工具。 在过去几年中，得益于互联网社区的卓越贡献，tcpdump 得到了稳步改进（只需浏览[变更日志](CHANGES)即可了解）。我们感谢所有的投入。 ### 支持的平台 在许多操作系统中，tcpdump 以原生包或端口的形式提供，这简化了更新安装和长期维护。然而，原生包的版本有时会落后一些，若要尝试更新的快照，则需要从源代码编译 tcpdump。 tcpdump 至少可以在以下平台上编译和运行： 过去，tcpdump 肯定或很可能可以在以下平台上运行： ### 对 libpcap 的依赖 tcpdump 使用 libpcap，这是一个用于用户级数据包捕获的系统独立接口。如果您的操作系统未提供 libpcap，或者提供的 libpcap 不支持 libpcap 1.0 或更高版本的 API，则在构建 tcpdump 之前，您必须先获取并构建 libpcap。 一旦构建了 libpcap（安装它，或者确保它位于 `../libpcap` 中），您就可以按照[安装说明](INSTALL.md)中的步骤构建 tcpdump。 ### tcpdump 的起源 该程序大致基于 SMI 的“etherfind”，尽管目前未保留任何 etherfind 代码。它最初由 Van Jacobson 编写，作为一个正在进行的研究项目的一部分，旨在调查和改进 TCP 及互联网网关的性能。最初取自 Sun etherfind 的程序部分后来由 LBL 的 Steven McCanne 重写。为了确保 tcpdump 中不存在任何专有代码的痕迹，Steve 根据手册条目中给出的规范编写了这些部分，并未访问 tcpdump 或 etherfind 的源代码。 ``` formerly from Lawrence Berkeley National Laboratory Network Research Group ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4) ``` ### 另请参阅 Richard Stevens 在他的书 *《TCP/IP 详解 卷1》* 中对互联网协议进行了精彩的论述。如果您想了解更多关于 tcpdump 的知识以及如何解释其输出，请阅读这本书。 tcpdump 用户可能会发现另一个有用的工具是 [tcpslice](https://github.com/the-tcpdump-group/tcpslice)。 这是一个可用于提取 tcpdump 二进制跟踪文件部分的程序。 ### Steve McCanne、Craig Leres 和 Van Jacobson 撰写的原始 LBL README ``` This directory also contains some short awk programs intended as examples of ways to reduce tcpdump data when you're tracking particular network problems: send-ack.awk Simplifies the tcpdump trace for an ftp (or other unidirectional tcp transfer). Since we assume that one host only sends and the other only acks, all address information is left off and we just note if the packet is a "send" or an "ack". There is one output line per line of the original trace. Field 1 is the packet time in decimal seconds, relative to the start of the conversation. Field 2 is delta-time from last packet. Field 3 is packet type/direction. "Send" means data going from sender to receiver, "ack" means an ack going from the receiver to the sender. A preceding "*" indicates that the data is a retransmission. A preceding "-" indicates a hole in the sequence space (i.e., missing packet(s)), a "#" means an odd-size (not max seg size) packet. Field 4 has the packet flags (same format as raw trace). Field 5 is the sequence number (start seq. num for sender, next expected seq number for acks). The number in parens following an ack is the delta-time from the first send of the packet to the ack. A number in parens following a send is the delta-time from the first send of the packet to the current send (on duplicate packets only). Duplicate sends or acks have a number in square brackets showing the number of duplicates so far. Here is a short sample from near the start of an ftp: 3.00 0.20 send . 512 3.20 0.20 ack . 1024 (0.20) 3.20 0.00 send P 1024 3.40 0.20 ack . 1536 (0.20) 3.80 0.40 * send . 0 (3.80) [2] 3.82 0.02 * ack . 1536 (0.62) [2] Three seconds into the conversation, bytes 512 through 1023 were sent. 200ms later they were acked. Shortly thereafter bytes 1024-1535 were sent and again acked after 200ms. Then, for no apparent reason, 0-511 is retransmitted, 3.8 seconds after its initial send (the round trip time for this ftp was 1sec, +-500ms). Since the receiver is expecting 1536, 1536 is re-acked when 0 arrives. packetdat.awk Computes chunk summary data for an ftp (or similar unidirectional tcp transfer). [A "chunk" refers to a chunk of the sequence space -- essentially the packet sequence number divided by the max segment size.] A summary line is printed showing the number of chunks, the number of packets it took to send that many chunks (if there are no lost or duplicated packets, the number of packets should equal the number of chunks) and the number of acks. Following the summary line is one line of information per chunk. The line contains eight fields: 1 - the chunk number 2 - the start sequence number for this chunk 3 - time of first send 4 - time of last send 5 - time of first ack 6 - time of last ack 7 - number of times chunk was sent 8 - number of times chunk was acked (all times are in decimal seconds, relative to the start of the conversation.) As an example, here is the first part of the output for an ftp trace: # 134 chunks. 536 packets sent. 508 acks. 1 1 0.00 5.80 0.20 0.20 4 1 2 513 0.28 6.20 0.40 0.40 4 1 3 1025 1.16 6.32 1.20 1.20 4 1 4 1561 1.86 15.00 2.00 2.00 6 1 5 2049 2.16 15.44 2.20 2.20 5 1 6 2585 2.64 16.44 2.80 2.80 5 1 7 3073 3.00 16.66 3.20 3.20 4 1 8 3609 3.20 17.24 3.40 5.82 4 11 9 4097 6.02 6.58 6.20 6.80 2 5 This says that 134 chunks were transferred (about 70K since the average packet size was 512 bytes). It took 536 packets to transfer the data (i.e., on the average each chunk was transmitted four times). Looking at, say, chunk 4, we see it represents the 512 bytes of sequence space from 1561 to 2048. It was first sent 1.86 seconds into the conversation. It was last sent 15 seconds into the conversation and was sent a total of 6 times (i.e., it was retransmitted every 2 seconds on the average). It was acked once, 140ms after it first arrived. stime.awk atime.awk Output one line per send or ack, respectively, in the form where is the time in seconds since the start of the transfer and is the sequence number being sent or acked. I typically plot this data looking for suspicious patterns. The problem I was looking at was the bulk-data-transfer throughput of medium delay network paths (1-6 sec. round trip time) under typical DARPA Internet conditions. The trace of the ftp transfer of a large file was used as the raw data source. The method was: - On a local host (but not the Sun running tcpdump), connect to the remote ftp. - On the monitor Sun, start the trace going. E.g., tcpdump host local-host and remote-host and port ftp-data >tracefile - On local, do either a get or put of a large file (~500KB), preferably to the null device (to minimize effects like closing the receive window while waiting for a disk write). - When transfer is finished, stop tcpdump. Use awk to make up two files of summary data (maxsize is the maximum packet size, tracedata is the file of tcpdump tracedata): awk -f send-ack.awk packetsize=avgsize tracedata >sa awk -f packetdat.awk packetsize=avgsize tracedata >pd - While the summary data files are printing, take a look at how the transfer behaved: awk -f stime.awk tracedata | xgraph (90% of what you learn seems to happen in this step). - Do all of the above steps several times, both directions, at different times of day, with different protocol implementations on the other end. - Using one of the Unix data analysis packages (in my case, S and Gary Perlman's Unix|Stat), spend a few months staring at the data. - Change something in the local protocol implementation and redo the steps above. - Once a week, tell your funding agent that you're discovering wonderful things and you'll write up that research report "real soon now". ```

标签：API令, CLI工具, DNS枚举, Docker‑Compose, GitHub搜索工具, libpcap, Linux工具, tcpdump, Web爬虫, Wildcard支持, 协议分析, 安全仪表盘, 安全测试集成, 客户端加密, 客户端加密, 客户端加密, 客户端加密, 带宽管理, 开源软件, 情报分析, 抓包, 持续安全评估, 数据包嗅探, 数据包捕获, 权限提升, 流量分析, 用户界面自定义, 目录遍历, 端口探测, 端点发现, 网络取证, 网络安全, 网络安全工具, 网络监控, 网络诊断, 虚拟环境, 隐私保护